High-accuracy web search and research via Parallel.ai API. Optimized for AI agents with rich excerpts and citations. Supports agentic mode for token-efficien...
Security Analysis
medium confidence
The skill mostly does what it says (wraps Parallel.ai APIs) but has inconsistent handling of credentials (a hard-coded API key fallback), uses undeclared environment variables for authenticated browsing, and exposes webhook/third-party integrations that increase exfiltration risk — review before installing.
Name/description match the files and runtime instructions: the scripts call Parallel.ai search, extract, findall, monitor, task, and task-run endpoints. Required PARALLEL_API_KEY is appropriate for this purpose.
Most instructions stay within the declared purpose (calls to Parallel.ai). However the skill accepts webhook URLs (monitor.create) and allows passing 'mcp_servers' for authenticated browsing (task.py), which cause data or credentials to be sent to third parties. search.py falls back to a hard-coded API key if PARALLEL_API_KEY is not set (inconsistent with other scripts that exit), which means the skill can operate under an embedded credential you did not provide.
This is instruction-only (no install spec that downloads arbitrary archives). It uses Python scripts and recommends 'pip install parallel-web' which is a normal package install; no unusual installers or remote extracts are present.
Declared primaryEnv is only PARALLEL_API_KEY which is appropriate. But the code optionally uses other env vars not declared in metadata (BROWSERUSE_API_KEY for authenticated browsing, PARALLEL_MAX_WAIT) and search.py contains a hard-coded fallback API key string. Requiring or using extra credentials without declaring them and embedding an API key are disproportionate and risky.
The skill does not request always:true, does not modify other skills, and contains no code that persists itself into global agent config. Autonomous invocation is allowed (default) but not combined with other high privileges.
Guidance
This skill appears to implement a legitimate Parallel.ai client, but there are a few red flags to review before installing:
- Inspect and remove the hard-coded API key in scripts/search.py. A hard-coded fallback means the skill may run using a credential you don't control; this can incur costs or leak usage to someone else. Replace it with strict failure when PARALLEL_API_KEY is missing or document an explicit demo key policy.
- Be aware of optional env vars not declared in the registry (BROWSERUSE_API_KEY, PARALLEL_MAX_WAIT). If you provide BROWSERUSE_API_KEY, the skill will forward it to an external MCP endpoint (browser-use.com) for authenticated browsing — that enables access to gated pages but also means sensitive page contents or credentials may be shared with that third party.
- Monitor webhooks and callbacks: monitor.create accepts a webhook URL that the Parallel service will call. Do not configure untrusted webhook URLs, since monitors may send content or alerts to those endpoints.
- Verify the pip package 'parallel-web' and the upstream Parallel.ai service before supplying your API key. Check account usage/quotas after first use.
- If you install: (1) remove or rotate any embedded keys, (2) run scripts in an isolated environment, and (3) prefer providing your own PARALLEL_API_KEY and avoid supplying optional third-party browsing keys or webhooks unless you trust those endpoints.
Given these inconsistencies and the embedded key, I recommend manual code review and remediation before enabling this skill for production use.
Latest Release
v1.2.1
Fix display name (remove Clawdbot prefix)
Published by @mvanhorn on ClawHub